I'm putting HTMLPurifier through some tests to make sure that everything works as expected. I'm using examples from http://ha.ckers.org/xss.html. I think everything I coded is 'correct' but I am able to pass one of the xxs examples right through. Can anybody assist me?
Here is the page common1.php it declares a function and processes the data:
$config = HTMLPurifier_Config::createDefault();
// configuration goes here:
$config->set('Core.Encoding', 'UTF-8'); // replace with your encoding
$config->set('HTML.Doctype', 'XHTML 1.0 Strict'); // replace with your doctype
function purify($data){
$purifier = new HTMLPurifier($config);
// untrusted input HTML
$pure_html = htmlspecialchars($purifier->purify($data));
return $data;
}
?>
And here is my debug script that attempts (and succeeds 0_o) in passing xxs:
<?php
include('common1.php');
$t = "<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">";
echo purify($t);
?>
You're returning the unpurified markup. Change your return statement:
function purify($data){
$purifier = new HTMLPurifier($config);
// untrusted input HTML
$pure_html = htmlspecialchars($purifier->purify($data));
return $pure_html;
}